ERM’s Rock Star Status

July 31, 2008 | Last updated on October 1, 2024

During the past few years, reams have been written in insurance-industry journals about enterprise risk management (ERM). Much of the ink has been spent alternately attributing its prominence to government regulations, explaining how to adopt an effective ERM program at a company and dispensing tips on how to “sell” ERM to senior executives. At the same time, risk management membership organizations have seized on the topic and their ERM seminars are selling out almost as fast as Rolling Stones concerts.

Not surprisingly, the concept of addressing risk holistically within a single, integrated framework is also gaining new traction in the boardroom. This can be attributed to a number of factors, including increased scrutiny from regulatory and ratings agencies, the growing interdependency of businesses and economies and the increasing complexity of the global risk landscape. Likewise, there’s increased pressure on companies’ senior management to assure to their many stakeholder groups that business risks are being properly managed.

But is ERM for real, or is it all just a big show? ERM is very much the rock star of current industry trends; at its best, it represents a useful tool for responsibly managing a broad spectrum of risk. At its worst, however, it has the potential to devolve into an overwrought exercise that misses one too many trees for the forest.

Part of the problem is that ERM has yet to enjoy a definition or approach that neatly gets its arms around a vast process — one that involves measuring, in aggregate, strategic, operational, financial and hazard risks across the entire enterprise.

Furthermore, in this complex world of ERM — one in which silos are broken down, key interdependencies are evaluated and risks are integrated — companies can often get bogged down trying to quantify everything that could threaten their organization. The problem is that these risks can be highly interrelated. If your CEO behaves poorly, for example, it may hurt your company’s reputation. But what may not be so top of mind is that your firm’s reputation can also suffer if one of your plants burns down and leaves you unable to meet customer demand.

And what if your business strategy is such that, in order to stay competitive, you have to establish a plant or a relationship with a third-party vendor in China? There’s a risk, of course, associated with that strategy: as you expand your supply chain, how do you prudently protect your investment? How do you evaluate that vendor plant, pinpointing its key exposures and the potential impact to your organization? Keep in mind, though, it’s a calculated risk: the return could be significant. ERM can be an intimidating undertaking. In fact, FM Global’s findings indicate most global FORTUNE 1000-size companies have not yet formally adopted an ERM approach to risk management.

Having said that, a significant and growing number of these companies are planning to implement one at least to some degree — some, perhaps, begrudgingly. A leading industry media outlet recently reported that 23.4% of risk managers who said their companies had or were planning to implement an ERM program believed new government regulations motivated the decision. Indeed, in the wake of corporate scandals and recent crises in the credit markets, many companies’ operations and accountability are being examined under a much more powerful microscope. Whatever their motivation, however, and despite any dilemmas they might have analyzing a raft of emerging risks, companies need not be discouraged about implementing an ERM program.

The good news is that ERM, while holistic in scope, collapses neatly, like a telescopic tin drinking cup, into a base of fundamental risk management. At its core, ERM follows the time-honored four- or five-step risk management process. Such a process advises companies to:

• identify and assess risk;

• avoid and reduce risk;

• accept and transfer risk; and

• manage and monitor risk.

This should no doubt be a comfort to risk managers who are considering adopting an ERM program. Whether the ERM cup holds water depends on the integrity of that base.

One does not need Monte Carlo simulations or stochastic modelling to narrow the risk or the range of outcomes: science does that. When it comes to protecting against the damaging effects of windstorms, for example, it’s proven that if you nail down the roof properly, it won’t blow off. If you board up your windows with wood of a certain thickness, wind-blown projectiles won’t pierce your building’s envelope. By applying what’s scientifically proven, you can eliminate or substantially minimize hazard risk. In doing so, you can help maximize your competitive advantage.

Since no two organizations are alike, no two will manage risk the same way. Some companies will content themselves with traditional risk management; others, seeking a more intense program as their businesses expand across the globe, will take a more strategic approach. ERM is intended to take just such a strategic approach.

While companies desiring an intensive risk management program are wrestling with their risk appetite (what they can tolerate from a frequency and severity standpoint), others may choose to start by conducting a business impact analysis (BIA), often associated with business continuity management (BCM). A BIA can help an organization better understand the business interruption exposures its operations face. The company can then use this information to communicate to the board of directors the impact of each exposure, or use it to assist in prioritizing risk management strategies.

Of course, ERM itself exists along the same continuum that includes traditional and what some have called “progressive” risk management. It can be applied to different degrees, or modified to suit an organization’s business plan. Some risk managers suggest the wide range of ERM practices should no longer be referred to as ERM, but rather as ERM-oriented. Thus, for each ERM-practicing or ERM-oriented company that invests millions in rigorous, computational risk analyses, another simply gathers senior managers in a room, asks for a show of hands regarding the potential impact of each risk on the business and then plots the results on a graph. The idea behind both methods is the same: to arrive at a threshold below which the company can absorb the risk, and above which it must either reduce the loss potential or transfer the risk via an insurance policy.

Needless to say, the implementation of an effective ERM program takes a good deal of time and significant resources. Plus, the program must now stand up to the external scrutiny of an organization’s many constituencies. But if you’re considering ERM, you can start simply enough: first, take a hard look at just the relevant risks. Understand the key vulnerabilities of your extended enterprise that could seriously affect your bottom line. Then, apply the traditional risk management process to them.

Companies that take such actions — accounting for their organization’s business objectives, as well as their stakeholders’ needs — better ensure they are running their businesses with a safety net. In today’s high-risk world, that can contribute greatly to your organization’s overall resilience.
